SACBO SpA and BGY International Services Srl (hereinafter also referred to as BIS) respectively hereby present their information concerning the processing of personal data of whistleblowers, persons reported, and any other third parties involved (hereinafter referred to as “Data Subjects”), carried out in relation to the management of whistleblowing reports governed by the “Whistleblowing Policy”.

PLEASE NOTE

It is stressed that policy no. 1 (“SACBO policy”) refers to the processing of personal data related to reports addressed to SACBO SpA.

Policy no. 2 (“BIS policy”), which follows the SACBO policy, refers instead to the processing of personal data related to reports addressed to BGY International Services Srl.

POLICY NO. 1 PURSUANT TO ARTS. 13 AND 14 OF REGULATION (EU) 2016/679 (“GDPR”) ON THE PROCESSING OF THE PERSONAL DATA OF WHISTLEBLOWERS, REPORTED SUBJECTS AND ANY OTHER THIRD PARTIES INVOLVED (“DATA SUBJECTS”), CARRIED OUT BY SACBO S.P.A. IN RELATION TO THE HANDLING OF REPORTS GOVERNED BY THE “WHISTLEBLOWING POLICY”.

SACBO S.p.A. (hereinafter also referred to as the “Data Controller”) hereby provides information on the processing of the personal data of whistleblowers, reported subjects and any other third parties involved (all “Data Subjects”, in accordance with current privacy legislation), carried out by the Data Controller in relation to the handling of whistleblowing reports governed by the “Whistleblowing Policy” (hereinafter, the “Policy”), published in the Policies area of the Whistleblowing platform.

Types of data processed

The Data Controller allows the making of substantiated reports of unlawful conduct of an administrative, accounting, civil or criminal nature, also pursuant to Italian Legislative Decree 231/2001.

Reports may be made either in the Whistleblower’s name or anonymously. In the case of reports made by name, at the choice of the Whistleblower, the latter’s personal data will be associated with the report. In the case of anonymous reports, the company’s IT systems will not be able to identify the reporter from the portal access point (IP address).

The available form allows the Whistleblower to indicate their personal data, in the case of reports made by name (specifically, personal and contact data), as well as the personal data of the reported person and/or of any third parties (hereinafter referred to as the “Data”).

Furthermore, with regards to this activity, special data (e.g., health-related data) and legal data (in particular, data relating to criminal offences) may also be processed if they are directly provided by the person making the report. These are not categories of data that are mandatory for the purposes of the report.

Source of personal data and categories of data collected by third parties

The Controller collects data through reports.

The Data of the Whistleblower, if any, are provided directly by the reporting party (and therefore acquired by the Controller from the data subject pursuant to article 13 of the GDPR); the data of the reported person and/or third parties are provided by the Whistleblower (and therefore acquired by the Controller from third parties pursuant to article 14 of the GDPR).

Whistleblowers may be employees and/or collaborators, directors, consultants and, in general, all stakeholders of the Controller or any person with a legitimate interest. Reports may be made either in the Whistleblower’s name or anonymously. With a view to enquiries, in the cases provided for by law, the reported person, pursuant to art. 14, paragraph 5(d) of the GDPR, may not immediately be made aware of the processing of their data by the Controller, while there is a risk of jeopardising the possibility of effectively verifying the merits of the complaint or gathering the necessary evidence.

Purposes of processing and legal basis

The personal data of the Data Subjects are processed for the purposes related to the application of the aforementioned Policy, with a view to the management of reports of unlawful conduct pursuant to Italian law no. 179 of 2017 and Italian Legislative Decree no. 24 of 10 March 2023.

The adoption of this Policy and the consequent processing of personal data therefore take place in order to comply with a legal obligation as set out in EU Directive 2019/1937 and implemented by Italian Legislative Decree 24/2023, which requires the Data Controller to provide appropriate channels for the submission of reports.

Special categories of personal data and judicial data will be processed for this purpose pursuant, respectively, to art. 9, paragraph 2(b) and article 10 of the GDPR.

With regard to any processing of personal data after the conclusion of the report analysis procedure, the legal basis is represented by the legitimate interests of the Data Controller in the exercising of its rights in all cases where this is necessary (e.g. reopening of legal proceedings, claims for damages related to the report), pursuant to article 6, paragraph 1, letter f).

Method and logic of processing and period of storage

Data processing is carried out manually (e.g., on paper) and/or by means of automated tools (the Whistleblowing platform), with logic related to the aforementioned purposes and, in any case, in such a manner as to guarantee data security and confidentiality.

Data are retained for a period of 5 years after the completion of all activities resulting from the establishment of the facts set out in the report, in the event that the report does not lead to the initiation of legal or disciplinary proceedings against the reported person or the Whistleblower. In the latter case, the data will be retained for the duration of the legal or out-of-court proceedings until the expiry of the time limit for appeals.

Data Controller, DPO, Data Processors and Persons authorised to carry out processing

The data controller is SACBO, with registered offices in via Orio al Serio 49/51 Grassobbio (BG).

SACBO has appointed a Data Protection Officer (hereinafter referred to as “DPO”) pursuant to articles 37-39 of the GDPR. The SACBO DPO can be contacted by email at: dpo@sacbo.it, by any Data Subject for any matter concerning their personal data and/or the exercising of their rights pursuant to articles 15 et seq. of the GDPR.

The Data Processor, pursuant to article 28 of the GDPR, is the company Digital PA S.r.l., with registered offices in Cagliari, via San Tommaso d’Acquino, 18/a, (email: privacy@digitalpa.it) which manages the Whistleblowing platform and SACBO, pursuant to articles 28 and 29 of the GDPR, provides the Data Processor with operating instructions to ensure the confidentiality and security of the processing of personal data, to guarantee compliance with applicable legislation and the protection of Data Subjects.

Persons authorised to process data by the Data Controller are the members of the Supervisory Board and of the Ethics and Anti-Corruption Committee and any company contacts.

Provision of data and consequences of refusal

Providing the data of the Whistleblower is mandatory to access the platform in “confidential mode”. Any refusal to provide data in this case would render it impossible to follow the procedure described in the Policy.

Provision of the Whistleblower’s data is optional for those accessing the platform in “anonymous mode”, but the reporting procedure can only be implemented if the relative reports are adequately substantiated and detailed, i.e., if they are able to bring to light facts and situations relating them to specific contexts.

Categories of third parties to which the data may be communicated

Autonomous data controllers to whom the processed data may be transmitted are: judicial authorities, external mandated lawyers, private investigation companies.

Right to access personal data and other rights of the Data subject

Data subjects may ask the Data Controller, by means of an email to privacy@sacbo.it, for access to the data concerning them, and the rectification, integration or erasure of the same, as well as restriction of processing or any other rights referred to in articles 15 to 22 of the GDPR, provided that the conditions to be indicated in the request are met.

This is, in any case, without prejudice to the existence of legitimate reasons that prevail over the interests, rights and freedoms of the Data subject, the ascertainment, exercising or defence of a right in a court of law or other legal obligations to be fulfilled by the Data Controller or any other provision of the Public Authorities or the Judicial Authorities or the Police. Data subjects also have the right to lodge a complaint with the Data Protection Authority in the event of illegitimate or unlawful processing of their data by the Controller.

Pursuant to article 2 undecies of Italian Legislative Decree no. 196/2003, as amended by Italian Legislative Decree no. 101/2018, the rights set out in articles 15 to 22 of the GDPR may not be exercised if this may result in effective and tangible prejudice to the confidentiality of the employee who reports unlawful conduct of which they have become aware due to their role. In said cases, the rights in question may be exercised through the Data Protection Authority (in the manner set out in article 160 of said Code), which will inform the Data subject that it has carried out all the necessary checks or has carried out a review, as well as of the Data subject’s right to appeal.

POLICY NO. 2 PURSUANT TO ARTS. 13 AND 14 OF REGULATION (EU) 2016/679 (“GDPR”) ON THE PROCESSING OF THE PERSONAL DATA OF WHISTLEBLOWERS, REPORTED SUBJECTS AND ANY OTHER THIRD PARTIES INVOLVED (“DATA SUBJECTS”), CARRIED OUT BY BGY INTERNATIONAL SERVICES SRL IN RELATION TO THE HANDLING OF REPORTS GOVERNED BY THE “WHISTLEBLOWING POLICY”.

BGY INTERNATIONAL SERVICES SRL (hereinafter also referred to as the “Data Controller”) hereby provides information on the processing of the personal data of whistleblowers, reported subjects and any other third parties involved (all “Data Subjects”, in accordance with current privacy legislation), carried out by the Data Controller in relation to the handling of whistleblowing reports governed by the “Whistleblowing Policy” (hereinafter referred to as the “Policy”), published in the Policy area of the Whistleblowing platform.

Types of data processed

The Data Controller allows the making of substantiated reports of unlawful conduct of an administrative, accounting, civil or criminal nature, also pursuant to Italian Legislative Decree 231/2001.

Reports may be made either in the Whistleblower’s name or anonymously. In the case of reports made by name, at the choice of the Whistleblower, the latter’s personal data will be associated with the report. In the case of anonymous reports, the company’s IT systems will not be able to identify the reporter from the portal access point (IP address).

The available form allows the Whistleblower to indicate their personal data, in the case of reports made by name (specifically, personal and contact data), as well as the personal data of the reported person and/or of any third parties (hereinafter referred to as the “Data”).

Furthermore, with regards to this activity, special data (e.g., health-related data) and legal data (in particular, data relating to criminal offences) may also be processed if they are directly provided by the person making the report. These are not categories of data that are mandatory for the purposes of the report.

Source of personal data and categories of data collected by third parties

The Controller collects data through reports.

The Data of the Whistleblower, if any, are provided directly by the reporting party (and therefore acquired by the Controller from the data subject pursuant to article 13 of the GDPR); the data of the reported person and/or third parties are provided by the Whistleblower (and therefore acquired by the Controller from third parties pursuant to article 14 of the GDPR).

Whistleblowers may be employees and/or collaborators, directors, consultants and, in general, all stakeholders of the Controller or any person with a legitimate interest. Reports may be made either in the Whistleblower’s name or anonymously. With a view to enquiries, in the cases provided for by law, the reported person, pursuant to art. 14, paragraph 5(d) of the GDPR, may not immediately be made aware of the processing of their data by the Controller, while there is a risk of jeopardising the possibility of effectively verifying the merits of the complaint or gathering the necessary evidence.

Purposes of processing and legal basis

The personal data of the Data Subjects are processed for the purposes related to the application of the aforementioned Policy, with a view to the management of reports of unlawful conduct pursuant to Italian law no. 179 of 2017 and Italian Legislative Decree no. 24 of 10 March 2023.

The adoption of this Policy and the consequent processing of personal data therefore take place in order to comply with a legal obligation as set out in EU Directive 2019/1937 and implemented by Italian Legislative Decree 24/2023, which requires the Data Controller to provide appropriate channels for the submission of reports.

Special categories of personal data and judicial data will be processed for this purpose pursuant, respectively, to art. 9, paragraph 2(b) and article 10 of the GDPR.

With regard to any processing of personal data after the conclusion of the report analysis procedure, the legal basis is represented by the legitimate interests of the Data Controller in the exercising of its rights in all cases where this is necessary (e.g. reopening of legal proceedings, claims for damages related to the report), pursuant to article 6, paragraph 1, letter f).

Method and logic of processing and period of storage

Data processing is carried out manually (e.g., on paper) and/or by means of the Whistleblowing platform, with logic related to the aforementioned purposes and, in any case, in such a manner as to guarantee data security and confidentiality.

Data are retained for a period of 5 years after the completion of all activities resulting from the establishment of the facts set out in the report, in the event that the report does not lead to the initiation of legal or disciplinary proceedings against the reported person or the Whistleblower. In the latter case, the data will be retained for the duration of the legal or out-of-court proceedings until the expiry of the time limit for appeals.

Data Controller, DPO, Data Processors and Persons authorised to carry out processing

The data controller is BGY INTERNATIONAL SERVICES SRL, with offices in via Orio al Serio 49/51 Grassobbio.

BGY INTERNATIONAL SERVICES has appointed a Data Protection Officer (hereinafter referred to as the “DPO”) pursuant to articles 37-39 of the GDPR. The DPO may be contacted via email to the address: dpo.bis@bgyis.it, by any Data Subject for any matter concerning their personal data and/or the exercising of their rights pursuant to articles 15 et seq. of the GDPR.

The Data processors pursuant to article 28 of the GDPR are:

• the company SACBO SpA, with offices in Grassobbio (Bergamo), via Orio al Serio 49/51 (email: privacy@sacbo.it), which handles reports.
• the company Digital PA S.r.l., with offices in Cagliari, via San Tommaso d’Acquino, 18/a (email: privacy@digitalpa.it) which manages the Whistleblowing platform.

BGY INTERNATIONAL SERVICES provides the Data Processor with operating instructions to ensure the confidentiality and security of the processing of personal data, to guarantee compliance with applicable legislation and the protection of Data Subjects. Persons authorised to process data by the Controller are the Supervisory Board, any other members of company bodies, or employees, where strictly necessary.

Provision of data and consequences of refusal

Providing the data of the Whistleblower is mandatory to access the platform in “confidential mode”. Any refusal to provide data in this case would render it impossible to follow the procedure described in the Policy.

Provision of the Whistleblower’s data is optional for those accessing the platform in “anonymous mode”, but the reporting procedure can only be implemented if the relative reports are adequately substantiated and detailed, i.e., if they are able to bring to light facts and situations relating them to specific contexts.

Categories of third parties to which the data may be communicated

Autonomous data controllers to whom the processed data may be transmitted are: judicial authorities, external mandated lawyers, private investigation companies.

Right to access personal data and other rights of the Data subject

Data subjects may ask the Data Controller, by means of an email to privacy@sacbo.it, for access to the data concerning them, and the rectification, integration or erasure of the same, as well as restriction of processing or any other rights referred to in articles 15 to 22 of the GDPR, provided that the conditions to be indicated in the request are met. This is, in any case, without prejudice to the existence of legitimate reasons that prevail over the interests, rights and freedoms of the Data subject, the ascertainment, exercising or defence of a right in a court of law or other legal obligations to be fulfilled by the Data Controller or any other provision of the Public Authorities or the Judicial Authorities or the Police. Data subjects also have the right to lodge a complaint with the Data Protection Authority in the event of illegitimate or unlawful processing of their data by the Controller. Pursuant to article 2 undecies of Italian Legislative Decree no. 196/2003, as amended by Italian Legislative Decree no. 101/2018, the rights set out in articles 15 to 22 of the GDPR may not be exercised if this may result in effective and tangible prejudice to the confidentiality of the employee who reports unlawful conduct of which they have become aware due to their role.

In said cases, the rights in question may be exercised through the Data Protection Authority (in the manner set out in article 160 of said Code), which will inform the Data subject that it has carried out all the necessary checks or has carried out a review, as well as of the Data subject’s right to appeal.